Sunday 15 August 2010

Smartphones Not Ready for Mobile TANs

In the last weeks we had an outbreak of security issues with smart phones. The most famous was the pdf font bug that hit the iPhone and other iOS devices which was fixed by Apple with iOS 4.0.2. This one was really dangerous because it could infect iPhones just by opening an infective web site.
Then we had a rootkit for Android phones. A first criminal exploitation was a Trojan, also for Android, that sent text messages to premium numbers.
Of course there is much more. The reason for this is, of course, that there is no magical security for telephones. Old-style telephone-and-SMS-only phones were simply too dumb to be hacked (if we disregard the occasional bluetooth hack). Modern smartphones are normal computers that happen to contain a radio baseband chip.
However, we have that security feature M-TAN or Mobile TAN for online banking. When a M-TAN user has entered their transaction into the online banking website, they get a SMS with some details on the transaction and the M-TAN number. If the details of the transaction look good, they enter the M-TAN into the web site to complete the transaction.

So, here is the criminal master plan:
  1. own as many PCs as you get
  2. own as many smartphones as possible
  3. match smartphones and PCs
  4. start phony transactions on the PC
  5. capture the resulting SMS
  6. send the M-TAN to the Trojan on the PC
  7. Profit
Sounds complicated, but if everyone has a backup of their smart phone on the PCs step 3 should be quite easy and the only remaining issue for the criminal is whether they find enough matches so that the plan is worth the effort.

A promising version of this plan would be to attack the smart phone via the infected PC. In iPhone speak this would be called the "trojan jailbreak". If this can be done without the user noticing it, the M-TAN is completely broken.

I don't recommend using M-TANs on a smartphone.